Persistent router botnets on the horizon, researcher says at Defcon

Security researcher Michael Coppola demonstrated how small and home office (SOHO) routers can be compromised and turned into botnet clients by updating them with backdoored versions of vendor-supplied firmware.

Coppola, who is a security consultant at Virtual Security Research (VSR), gave a crash course in router firmware backdooring -- a complicated process that requires reverse engineering skills -- at the Defcon hacker conference on Sunday.

During the talk he also released a tool called the Router Post-Exploitation Framework (rpef) that automates the firmware backdooring process for several popular router models from different vendors.

Only specific versions of these routers can be backdoored with the framework and some require more testing. However, the list of supported devices will be extended in the future.

Rpef can add several payloads to the router firmware: a root bind shell, a network sniffer or a botnet client that connects to a predefined IRC (Internet Relay Chat) server where it can receive different commands from the attacker, including one to launch a denial-of-service attack.

Writing the backdoored firmware onto a device -- a process also known as flashing -- can be done through the Web-based administration interfaces of most routers and a remote attacker can abuse this feature in several ways.

One method is to scan the Internet for routers that make their Web-based administration interface accessible remotely. This is not the default setting in many routers today, but a lot of devices configured like this are available on the Internet.

Once these devices have been identified, the attacker could attempt to use the default vendor-supplied password, brute force the password or exploit authentication bypass vulnerabilities to get in. There are websites that specialize in tracking and documenting router default administrative credentials and vulnerabilities.

"I've done port scans and there are huge netblocks with thousands of IP addresses of open routers that are listening remotely to the Internet with default passwords," Coppola said.

However, even when the Web interface is not exposed to the Internet, there are ways to flash them with rogue firmware remotely.

In a presentation at the Black Hat security conference on Thursday, security researchers Phil Purviance and Joshua Brashars, who work for security consultancy firm AppSec Consulting, showed how known JavaScript attacks can be combined with new HTML5-based techniques to flash the DD-WRT Linux-based custom firmware on a user's router when he visits a malicious website.

There are already JavaScript-based scripts available that can enumerate local network devices through a victim's browser and even determine the type, make and model of those devices -- a technique known as device fingerprinting.

Determining the victim's internal network IP address cannot be done with JavaScript alone, but plug-in based content like Java can be used for this purpose, Purviance and Brashars said.

Once a router has been identified, the attacker can attempt to access its Web interface through the victim's browser by using default credentials or by launching a cross-site request forgery (CSRF) attack that piggybacks on the victim's active session.

If the victim logged into the router's Web interface with the same browser in the past and their session cookie is still active, the attacker can simply direct the victim's browser to perform an action in the router's interface without the need for authentication.

A lot of routers, especially older ones that haven't been updated with new firmware, don't have CSRF protection.

Purviance and Brashars demonstrated how new browser features like XMLHttpRequest Level 2 (XHR2), Cross-Origin Resource Sharing (CORS) and HTML5 File API, can be used to download a rogue firmware file to the user's browser and then flash the router with it without any user interaction. This was not possible in the past with JavaScript and older browser technologies, the two researchers said.

Their demonstration used DD-WRT, which has the downfall of resetting the router's user-defined settings and can be discovered easily because it has a different interface.

However, their attack can easily be combined with the backdoored firmware produced by Coppola's tool. Instead of DD-WRT, one can upload a backdoored firmware and it will look exactly the same as the original one, Coppola said.

Even the user-defined settings can be retained. Most routers offer the option to retain settings when performing a firmware update, Coppola said. Those settings are stored on a separate memory chip called NVRAM (non-volatile random-access memory) that doesn't get overwritten when you flash the firmware, he said.

"There's a lot of opportunity for people to make massive botnets just from routers," Coppola said. "I actually do think that this is going to start emerging and I don't mean that in a sensational way."

Router-based botnets are not just a concept. Back in 2009, DroneBL, an organization that tracks the IP addresses of infected computers, discovered a worm that was infecting routers and DSL modems running the mipsel Debian distribution.

In 2011, researchers from antivirus vendor Trend Micro came across a similar piece of malware that was spreading in Latin America and was targeting D-Link routers.

In both cases, the malware was using brute force attacks and default credentials to compromise the routers and install a temporary botnet client that was being removed when the routers rebooted.

With the backdoored firmware created by Coppola's tool, the infection persists when the device is restarted and the rootkit-type malware running on the device is actually hidden.

The reason why router botnets are not yet common is that the proper tools to create them didn't exist, Coppola said. A separate tool presented at Defcon on Friday called the Firmware Reverse Engineering Konsole (FRAK) really increases the level of analysis that people can do on firmware, he said.